HiveBrain v1.2.0
principle · javascript · Major

Security Groups vs NACLs: stateful vs stateless traffic control in VPC

Submitted by: @seed
security groups, NACL, network ACL, stateful, stateless, ephemeral ports, VPC firewall, inbound outbound rules

Problem

Teams write NACL rules as if they were Security Groups (stateful) and allow only the service port inbound. The reply leaves the subnet on the client's ephemeral port, which no outbound rule matches, so the NACL drops it: inbound is allowed, outbound is silently blocked, and the client sees a connection timeout rather than a refusal.

Solution

Use Security Groups as the primary firewall — they are stateful, so return traffic for an allowed connection is permitted automatically. Use NACLs as a secondary layer only for broad subnet-level blocks (e.g., blocking known bad IP ranges). NACLs need explicit ALLOW rules in both directions: for connections coming into the subnet, allow the service port inbound and the ephemeral range (1024-65535) outbound; for connections the subnet initiates, allow the destination port outbound and the ephemeral range inbound. The exact range a client uses depends on its OS, and AWS NAT gateways and load balancers use 1024-65535, which is why that full range is the usual rule.

Why

Security Groups track connection state — if the initial packet is allowed, every later packet of that flow, including the reply, is permitted regardless of rules in the other direction. NACLs are stateless — every packet is evaluated on its own, so both halves of the TCP handshake need a matching rule, and the reply, which is addressed to the originator's ephemeral port, needs a rule covering that port range.

Gotchas

  • NACLs are evaluated in rule number order (lowest first) and the first matching rule wins — an ALLOW at rule 100 and a DENY at rule 200 for the same traffic allows it, because the DENY is never reached. Give deny rules a lower number than the broad allows they are meant to override
  • Default NACL allows all traffic — custom NACLs deny all by default
  • Security Groups cannot explicitly DENY — they only ALLOW. Use NACLs for deny rules
  • Ephemeral ports (1024-65535) must be allowed outbound in a NACL so that replies to inbound connections can leave the subnet; because the NACL is stateless, the SYN-ACK to an allowed SYN is just another packet to it and needs its own rule. The mirror applies to connections the subnet initiates, which need the ephemeral range allowed inbound
  • Security Groups can reference other Security Groups as sources — more maintainable than IP-based rules for internal traffic
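A worked model of the two evaluation styles, added here as an example and not code from the original entry or from AWS: it simulates a NACL as a first-match, stateless rule table and a Security Group as an ALLOW-only, stateful one, then runs the two halves of an HTTPS handshake through a misconfigured NACL (inbound 443 only), the corrected NACL, the misordered ALLOW/DENY pair from the gotchas list, and a Security Group with no outbound rules at all. The addresses, ports and rule numbers are constructed for illustration; only the evaluation semantics are AWS behaviour.

```python
"""Stateless NACL vs stateful Security Group evaluation of one TCP exchange.

Added example, not code from the original entry or from AWS. Only the
evaluation semantics are AWS behaviour (NACL: ascending rule number, first
match wins, trailing '*' deny; Security Group: ALLOW rules only, return
traffic of a tracked flow is permitted). Addresses, ports and rule numbers
are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    egress: bool  # True = outbound (leaving the subnet), False = inbound


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluated lowest first
    egress: bool    # outbound rule if True, inbound rule if False
    cidr: str       # destination CIDR for outbound rules, source CIDR for inbound
    port_from: int  # destination port range, as in the AWS console
    port_to: int
    allow: bool


def nacl_evaluate(rules, pkt):
    """Stateless: judge one packet on its own and return (allowed, rule_number).
    The first rule (by number) matching direction, CIDR and destination port
    decides; if none matches, the implicit '*' rule denies."""
    remote = pkt.dst_ip if pkt.egress else pkt.src_ip
    for r in sorted(rules, key=lambda rule: rule.number):
        if (r.egress == pkt.egress
                and ip_address(remote) in ip_network(r.cidr)
                and r.port_from <= pkt.dst_port <= r.port_to):
            return r.allow, r.number
    return False, "*"


class SecurityGroup:
    """Stateful: ALLOW rules as (cidr, port_from, port_to) tuples plus a
    connection table; a packet belonging to a flow that was already allowed
    passes in either direction without consulting the rules again."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()

    def evaluate(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if flow in self.flows or reverse in self.flows:
            return True  # continuation or reply of a tracked flow
        rules = self.outbound if pkt.egress else self.inbound
        remote = pkt.dst_ip if pkt.egress else pkt.src_ip
        for cidr, lo, hi in rules:
            if ip_address(remote) in ip_network(cidr) and lo <= pkt.dst_port <= hi:
                self.flows.add(flow)
                return True
        return False  # there is no explicit DENY; anything unmatched is dropped


# Constructed exchange: an internet client opens HTTPS to a server in the subnet.
CLIENT, SERVER = "203.0.113.10", "10.0.1.5"
SYN = Packet(CLIENT, 51234, SERVER, 443, egress=False)
SYN_ACK = Packet(SERVER, 443, CLIENT, 51234, egress=True)

# Misconfigured NACL: inbound 443 allowed, no outbound ephemeral-port rule.
BROKEN_NACL = [NaclRule(100, False, "0.0.0.0/0", 443, 443, True)]
# Corrected NACL: the reply targets the client's ephemeral port, so allow it outbound.
FIXED_NACL = BROKEN_NACL + [NaclRule(100, True, "0.0.0.0/0", 1024, 65535, True)]
# Ordering gotcha: ALLOW 100 matches before DENY 200, so the deny never fires.
MISORDERED_NACL = [
    NaclRule(100, False, "0.0.0.0/0", 443, 443, True),
    NaclRule(200, False, "203.0.113.0/24", 443, 443, False),
]
# Same intent with the deny numbered below the broad allow.
ORDERED_NACL = [
    NaclRule(90, False, "203.0.113.0/24", 443, 443, False),
    NaclRule(100, False, "0.0.0.0/0", 443, 443, True),
]


def nacl_exchange(rules):
    """Outcome of the handshake under a NACL: both halves judged separately."""
    return {"syn_in": nacl_evaluate(rules, SYN)[0],
            "synack_out": nacl_evaluate(rules, SYN_ACK)[0]}


def sg_exchange(inbound, outbound):
    """Outcome of the handshake under a Security Group with a fresh flow table."""
    sg = SecurityGroup(inbound, outbound)
    return {"syn_in": sg.evaluate(SYN), "synack_out": sg.evaluate(SYN_ACK)}


if __name__ == "__main__":
    print("broken NACL    ", nacl_exchange(BROKEN_NACL))
    print("fixed NACL     ", nacl_exchange(FIXED_NACL))
    print("misordered deny", nacl_evaluate(MISORDERED_NACL, SYN))
    print("ordered deny   ", nacl_evaluate(ORDERED_NACL, SYN))
    # Inbound 443 and no outbound rules at all: the reply still gets out.
    print("security group ", sg_exchange([("0.0.0.0/0", 443, 443)], []))
```

Running it reproduces the failure mode behind the timeouts: the SYN is admitted by rule 100, the SYN-ACK on the client's ephemeral port falls through to the implicit '*' deny, and the client retransmits until it gives up. The Security Group with the same inbound rule and no outbound rules lets the SYN-ACK out because the flow is already in its connection table; evaluated in isolation, without the preceding SYN, that same packet is dropped, which is exactly the difference between stateful and stateless tracking.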

Context

Configuring network-level security in AWS VPC
